A leading developer of Firefox has warned of a sneaky potential new form of phishing attack.
Aza Raskin, the creative lead for Firefox, explains that the approach exploits the fact that most surfers keep many tabs open during a browsing session, without really keeping track of what sites they have visited.
The so-called …

COMMENTS

Opera

Opera (presumably without any knowledge of this particular attack, seeing as I'm not using a "snapshot" version, just the last regular update) does the best that you can expect: the title bar changes to "Gmail" (but then you can hardly regulate title bar changes!) but the printed URL in the address bar and the favicon stay identical to the version which "loaded" originally.

Though it is more interesting than most of these techniques, again it only fools the unwary who have been and always will be at risk because they don't bother to check things properly. If people don't check for padlocks / green security bars / etc. then they are stuffed anyway. 99% of people *don't*. And if you just ignore security certificate warnings or click Yes, then you're stuffed too.

Follow the oldest rules of all: If you want to log in to GMail, type www.gmail.com into your browser. Don't click a link. If something asks you to "login again", check it thoroughly, no matter if you "thought" you were logged in already. (Incidentally, the latest Opera stable plays merry hell with the Register logins and I'm constantly being asked to re-log-in.)

About once every six months or so GMail asks me to log in again, and that freaks me out and I have to check why. And even the Google AdSense thing (which asks you to log in but also has a "Click here if you're a Google Account user" link) arouses my suspicions immediately, because I should damn well already be logged in, so the sight of some login boxes makes me suspicious.

And those people who *don't* work like that should be using their browser's privacy features like autologin on sites because that way their details WON'T be automatically plugged in on anything but the sites they were intended for, and hence you will "spot" these problems quicker.

It's interesting, will likely catch a LOT of people out, but it's nothing that hasn't always been possible, and nothing you can really "fix" except by whacking people around the earhole.

Doesn't work here

Bah!

The case for Getting Rid Of JavaScript Altogether (G-ROJA) is getting stronger and stronger.

Ban it now. Turn it off in your browser and deal with the problem of JavaScript-based attacks by dealing with the attack vector at source.

Any other scheme is treating a symptom instead of the root cause of the malady.

"But my websites will have less shiny" you say.

"A proper web design doesn't need stupid client side tricks to get you to interact with the site, and you sure as hell don't need this pox-causing language *or* the nitwit "programs" that are written in it on your computer in order to buy shoes, books or tat off eBay" sezzeye.